Problems with VPN over dialup ISP

By McKayTech ·
I have a client who is having trouble with the VPN connection to our network. He is running the Cisco VPN client on an NT Workstation machine and connects to his ISP (UUnet) by dialup (56k v.90).

The problem we are having is that he can transfer up to 2000 bytes (yes - that's bytes) by FTP and it works just fine. Any more than that and his FTP client just hangs (either using WSFTPLE or from the NT command line). Without the VPN client, everything works fine. On Monday, we're going to upgrade to the v3.0.2 VPN client (currently at v2.5) but I'm skeptical that will fix this problem.

When I do a traceroute from our VPN Concentrator (Cisco/Altiga) to his workstation, it is 16 hops and the last hop (from the ISP to his workstation) has a latency of between 250-300 msec.

Has anyone else seen something similar and have you found a solution?

paul

Problems with VPN over dialup ISP

by mpdcsup In reply to Problems with VPN over di ...

Have you tried using PASV mode?

(Sorry, I couldn't pass up the opportunity to hail the almighty TechPoint God!)

Problems with VPN over dialup ISP

by McKayTech In reply to Problems with VPN over di ...

Thanks for the hailing! We had tried PASV at one point but I appreciated the reminder to include that on my checklist of things to take another look at. A couple of other interesting pieces of information came to light after I posted and one was that he is using NT4 SP4 because it is a corporate standard and I seem to recall some VPN related issues that were addressed in SP5.

Problems with VPN over dialup ISP

by al In reply to Problems with VPN over di ...

Check TCP MSS...Here's a snippet from a major VPN Vendor's database (Their name has been removed)...

Whenever a packet gets encrypted, it gets larger by the size of about one IP header. If the original packet is already full ethernet size (1500 bytes) then we will need to fragment. A lot of routers on the Internet will drop fragments.


When you change the maximum segment size, you basically tell the device to rewrite the MSS option field in the TCP SYN handshake to be whatever you specify (usually 1400). This will trick the 2 hosts into negotiating a smaller packet size, eliminating fragmentation and improving performance through the VPN.

Contact me @ al@tt600.org if you want some more info...

-AL
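
The MSS rewrite described in the post above, as an added example that is not part of the original post or of any vendor's code: it lowers the MSS option in a TCP SYN to 1400 and patches the TCP checksum incrementally (RFC 1624). The function names, the documentation IP addresses and the sample segment are constructed for illustration.

```python
import struct

def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071); odd-length input is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """Full TCP checksum over the IPv4 pseudo-header plus segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return csum16(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def clamp_mss(seg: bytes, limit: int) -> bytes:
    """Lower the MSS option of a TCP SYN to `limit`; anything else passes through."""
    hdr_len = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
    if not 20 <= hdr_len <= len(seg) or not seg[13] & 0x02:  # 0x02 = SYN flag
        return seg
    out, i = bytearray(seg), 20
    while i < hdr_len and out[i] != 0:          # kind 0 = end of option list
        if out[i] == 1:                         # kind 1 = NOP, single byte
            i += 1
            continue
        size = out[i + 1] if i + 1 < hdr_len else 0
        if size < 2 or i + size > hdr_len:
            return seg                          # malformed options: do not touch
        if out[i] == 2 and size == 4:           # kind 2 = MSS, 16-bit value
            if struct.unpack_from("!H", out, i + 2)[0] > limit:
                struct.pack_into("!H", out, i + 2, limit)
        i += size
    # Incremental checksum update (RFC 1624): HC' = ~(~HC + ~m + m')
    acc = ~struct.unpack_from("!H", seg, 16)[0] & 0xFFFF
    for off in range(20, hdr_len, 2):
        old, new = (struct.unpack_from("!H", b, off)[0] for b in (seg, out))
        if old != new:
            acc += (~old & 0xFFFF) + new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    struct.pack_into("!H", out, 16, ~acc & 0xFFFF)
    return bytes(out)

SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # documentation addresses

def sample_syn(mss: int = 1460, flags: int = 0x02) -> bytes:
    """Constructed segment: ports 1025 -> 21 (FTP), 24-byte header, MSS option only."""
    seg = struct.pack("!HHIIBBHHHBBH", 1025, 21, 1000, 0, 0x60, flags, 8192, 0, 0, 2, 4, mss)
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC, DST, seg)) + seg[18:]
```

Because the SYN test also matches SYN+ACK, the same function covers both directions of the handshake, which is what makes both hosts settle on the smaller segment size.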

Problems with VPN over dialup ISP

by McKayTech In reply to Problems with VPN over di ...

I appreciate the information about the packet size. I had been recently looking at MTU issues on an ATM problem but it didn't occur to me to look at the VPN client from that perspective. We are currently using the Cisco-recommended MTU of 1400 but it is certainly worth considering the problem from that perspective.

thanks!

Problems with VPN over dialup ISP

by McKayTech In reply to Problems with VPN over di ...

This question was closed by the author
